DIONAEA: submission module

Mark Schloesser spoke about Dionaea during his presentation at FIRST-TC KL 2009 last December, and that got us really excited. A few MyCERT folks also had the chance to do a 'class' with him and got some exposure to its internals.

We are replacing some of our nepenthes instances with Dionaea. However, Dionaea's lack of centralized logging and submission features required us to write our own submission module. At first the process of building the module was a little confusing (due to my limited understanding of Dionaea's inner workings). After a few IRC sessions (Dionaea's IRC channel is #nepenthes on freenode) with Markus (the Dionaea developer), we got the module working; it submits the captured binaries and the connection details as well. Below is some output from the submission log:

Below is the submission module (bear in mind that this is my first time coding in Python). Refer to modules such as surfids.py, logsql.py and test.py for more examples of how Dionaea's ihandler modules are written.

```python
from dionaea import ihandler, incident, g_dionaea
import logging
import time

logger = logging.getLogger('submission')
logger.setLevel(logging.DEBUG)


class mycertsubmitdownloadihandler(ihandler):
    def __init__(self, path):
        logger.debug("%s ready!" % (self.__class__.__name__))
        ihandler.__init__(self, path)

    # fired once dionaea has finished downloading a binary and hashed it
    def handle_incident_dionaea_download_complete_hash(self, icd):
        logger.debug("submitting file to submission server")
        try:
            tos = g_dionaea.config()['submission']
        except KeyError:
            return
        for to in tos:
            if 'urls' not in tos[to]:
                logger.warning("your configuration lacks urls to submit to %s" % to)
                continue
            for url in tos[to]['urls']:
                i = incident("dionaea.upload.request")
                i.url = url
                i.flags = 'success'
                i.file = icd.file
                i.repo_ip = icd.url                  # URL the binary was fetched from
                i.attacker_ip = icd.con.remote.host
                i.sensor_ip = icd.con.local.host
                i.timestamp = str(time.strftime("%Y%m%d:%H:%M:%S", time.localtime()))
                i.md5 = icd.md5hash
                i.attacker_port = str(icd.con.remote.port)
                i.sensor_port = str(icd.con.local.port)
                # copy every other value of this submission section (sensorname,
                # user, pass, ...) into the upload request as form fields
                for key in tos[to]:
                    if key == 'urls':
                        continue
                    i.set(key, tos[to][key])
                i.report()

    # fired when an exploit offers a download URL, before any file is fetched
    def handle_incident_dionaea_download_offer(self, icd):
        logger.debug("submitting attempted download info to submission server")
        try:
            tos = g_dionaea.config()['submission']
        except KeyError:
            return
        for to in tos:
            if 'urls' not in tos[to]:
                logger.warning("your configuration lacks urls to submit to %s" % to)
                continue
            for url in tos[to]['urls']:
                i = incident("dionaea.upload.request")
                i.url = url
                i.flags = 'attempt'                  # no file and no md5 yet
                i.repo_ip = icd.url
                i.attacker_ip = icd.con.remote.host
                i.sensor_ip = icd.con.local.host
                i.timestamp = str(time.strftime("%Y%m%d:%H:%M:%S", time.localtime()))
                i.attacker_port = str(icd.con.remote.port)
                i.sensor_port = str(icd.con.local.port)
                # copy every other value of this submission section into the request
                for key in tos[to]:
                    if key == 'urls':
                        continue
                    i.set(key, tos[to][key])
                i.report()
```

Dionaea's config file needs to be changed to reflect the module. Here is a sample of the Dionaea config (only the submission portion). Note that every key in this section except urls, including user and pass, is copied into the upload request and sent as a form field to each URL listed; with a plain http:// URL the credentials and the captured binary cross the network in the clear, so put the collector behind https and keep the config file readable only by the user Dionaea runs as:

```
submission =
{
    mysubmit =
    {
        urls = ["http://your_url_here/upload.php"]
        sensorname = "sensor1"
        email = "lala@gmail.com"
        file_fieldname = "upfile"
        user = "user1"
        MAX_FILE_SIZE = "1500000"
        pass = "yourpassword"
        submit = "Submit for analysis"
    }
}
```

As for upload.php, you can use similar code here (warning: this is just a sample code, modify accordingly to fit your security requirements):
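Whatever receives the upload has to treat every field as untrusted, even though most of them were set by the sensor: the form is reachable by anyone who can talk to the URL. The following is an added example of the validation a collector should do before storing a submission; it is not the page's upload.php and not part of Dionaea. It assumes the field names the module above sets (flags, md5, timestamp, attacker_ip, attacker_port, sensor_ip, sensor_port, repo_ip) plus the user, pass and sensorname form fields copied from the config section, with constructed credentials and a constructed sample binary standing in for real input.

```python
"""Server-side validation of one Dionaea submission (added example, not upload.php)."""
import hashlib
import hmac
import ipaddress
import os
import re
from datetime import datetime

# Constructed credentials; a real collector would load these from a store, not source.
VALID_USERS = {"user1": "yourpassword"}
MAX_FILE_SIZE = 1500000                                   # same cap as the config sample
TIMESTAMP_RE = re.compile(r"^\d{8}:\d{2}:\d{2}:\d{2}$")   # the module's strftime layout
SAMPLE_BINARY = b"MZ" + b"\x90" * 64                      # constructed stand-in for a capture


class RejectedSubmission(ValueError):
    pass


def _check_credentials(fields):
    user = fields.get("user", "")
    password = fields.get("pass", "").encode()
    expected = VALID_USERS.get(user)
    if expected is None:
        # burn a comparison anyway so unknown users are not distinguishable by timing
        hmac.compare_digest(password, b"x" * 32)
        raise RejectedSubmission("unknown user")
    if not hmac.compare_digest(password, expected.encode()):
        raise RejectedSubmission("bad password")


def validate_submission(fields, file_bytes=None):
    """Return a normalised record ready for storage, or raise RejectedSubmission."""
    _check_credentials(fields)

    flags = fields.get("flags")
    if flags not in ("success", "attempt"):
        raise RejectedSubmission("unknown flags value %r" % (flags,))

    ts = fields.get("timestamp", "")
    try:
        if not TIMESTAMP_RE.match(ts):
            raise ValueError
        datetime.strptime(ts, "%Y%m%d:%H:%M:%S")        # also rejects impossible dates
        attacker_ip = str(ipaddress.ip_address(fields.get("attacker_ip", "")))
        sensor_ip = str(ipaddress.ip_address(fields.get("sensor_ip", "")))
        attacker_port = int(fields.get("attacker_port", ""))
        sensor_port = int(fields.get("sensor_port", ""))
    except ValueError:
        raise RejectedSubmission("malformed timestamp, address or port")
    if not (0 < attacker_port < 65536 and 0 < sensor_port < 65536):
        raise RejectedSubmission("port out of range")

    record = {
        "flags": flags,
        "sensorname": fields.get("sensorname", ""),
        "timestamp": ts,
        "attacker_ip": attacker_ip, "attacker_port": attacker_port,
        "sensor_ip": sensor_ip, "sensor_port": sensor_port,
        "repo_ip": fields.get("repo_ip", ""),   # attacker-controlled URL: store, never fetch here
    }
    if flags == "attempt":
        return record                           # download offers carry no file

    if not file_bytes:
        raise RejectedSubmission("success submission without a file")
    if len(file_bytes) > MAX_FILE_SIZE:
        raise RejectedSubmission("file exceeds MAX_FILE_SIZE")
    md5 = hashlib.md5(file_bytes).hexdigest()
    if not hmac.compare_digest(md5, fields.get("md5", "").lower()):
        raise RejectedSubmission("md5 mismatch")
    # name the stored sample by its own hash, never by anything the client supplied
    record["md5"] = md5
    record["sha256"] = hashlib.sha256(file_bytes).hexdigest()
    record["store_path"] = os.path.join("samples", md5[:2], md5)
    return record


def is_accepted(fields, file_bytes=None):
    try:
        validate_submission(fields, file_bytes)
        return True
    except RejectedSubmission:
        return False


def sample_fields(flags="success"):
    """Constructed fields as the submission module would set them for one download."""
    return {
        "user": "user1", "pass": "yourpassword", "sensorname": "sensor1",
        "flags": flags, "timestamp": "20100115:10:42:07",
        "attacker_ip": "192.0.2.10", "attacker_port": "1337",
        "sensor_ip": "198.51.100.5", "sensor_port": "445",
        "repo_ip": "http://192.0.2.10:6666/x.exe",
        "md5": hashlib.md5(SAMPLE_BINARY).hexdigest(),
    }


if __name__ == "__main__":
    print(validate_submission(sample_fields(), SAMPLE_BINARY))
```

The md5 check matters because the sensor hashes the file it downloaded, so a mismatch on the collector means the body was altered or truncated in transit; the stored filename is derived from that hash so a client cannot steer writes with a filename of its own.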